DETAILED ACTION 

The instant application having Application No. 10/534,541 is presented for 
examination by the examiner. Claims 11, 13, and 16 have been canceled. Claims 24 
and 25 have been added. Claims 1-10, 12, 14, 15, and 17-25 remain pending and have 
been examined. 

Response to Amendment 

Drawings 

The newly filed drawings are accepted. 

Specification 

The specification is objected to for not having the following U.S. headings, as 
applicable. 

Content of Specification 

(a) Title of the Invention : See 37 CFR 1.72(a) and MPEP § 606. The title of 
the invention should be placed at the top of the first page of the 
specification unless the title is provided in an application data sheet. The 
title of the invention should be brief but technically accurate and 
descriptive, preferably from two to seven words, and may not contain more 
than 500 characters. 



(b) Cross-References to Related Applications : See 37 CFR 1.78 and MPEP 
§ 201.11. 
(c) Statement Regarding Federally Sponsored Research and Development : 
See MPEP § 310. 

(d) The Names Of The Parties To A Joint Research Agreement : See 37 CFR 
1.71(g). 

(e) Incorporation-By-Reference Of Material Submitted On a Compact Disc: 
The specification is required to include an incorporation-by-reference of 
electronic documents that are to become part of the permanent United 
States Patent and Trademark Office records in the file of a patent 
application. See 37 CFR 1.52(e) and MPEP § 608.05. Computer 
program listings (37 CFR 1.96(c)), "Sequence Listings" (37 CFR 1.821(c)), 
and tables having more than 50 pages of text were permitted as electronic 
documents on compact discs beginning on September 8, 2000. 

(f) Background of the Invention : See MPEP § 608.01(c). The specification 
should set forth the Background of the Invention in two parts: 

(1) Field of the Invention : A statement of the field of art to which the 
invention pertains. This statement may include a paraphrasing of 
the applicable U.S. patent classification definitions of the subject 
matter of the claimed invention. This item may also be titled 
"Technical Field." 

(2) Description of the Related Art including information disclosed under 
37 CFR 1.97 and 37 CFR 1.98 : A description of the related art 
known to the applicant and including, if applicable, references to 
specific related art and problems involved in the prior art which are 
solved by the applicant's invention. This item may also be titled 
"Background Art." 

(g) Brief Summary of the Invention : See MPEP § 608.01(d). A brief summary 
or general statement of the invention as set forth in 37 CFR 1.73. The 
summary is separate and distinct from the abstract and is directed toward 
the invention rather than the disclosure as a whole. The summary may 
point out the advantages of the invention or how it solves problems 
previously existent in the prior art (and preferably indicated in the 
Background of the Invention). In chemical cases it should point out in 
general terms the utility of the invention. If possible, the nature and gist of 
the invention or the inventive concept should be set forth. Objects of the 
invention should be treated briefly and only to the extent that they 
contribute to an understanding of the invention. 
(h) Brief Description of the Several Views of the Drawing(s) : See MPEP § 
608.01(f). A reference to and brief description of the drawing(s) as set 
forth in 37 CFR 1.74. 

(i) Detailed Description of the Invention : See MPEP § 608.01(g). A 
description of the preferred embodiment(s) of the invention as required in 
37 CFR 1.71. The description should be as short and specific as is 
necessary to describe the invention adequately and accurately. Where 
elements or groups of elements, compounds, and processes, which are 
conventional and generally widely known in the field of the invention 
described and their exact nature or type is not necessary for an 
understanding and use of the invention by a person skilled in the art, they 
should not be described in detail. However, where particularly 
complicated subject matter is involved or where the elements, 
compounds, or processes may not be commonly or widely known in the 
field, the specification should refer to another patent or readily available 
publication which adequately describes the subject matter. 

(j) Claim or Claims : See 37 CFR 1.75 and MPEP § 608.01(m). The claim or 
claims must commence on a separate sheet or electronic page (37 CFR 
1.52(b)(3)). Where a claim sets forth a plurality of elements or steps, each 
element or step of the claim should be separated by a line indentation. 
There may be plural indentations to further segregate subcombinations or 
related steps. See 37 CFR 1.75 and MPEP § 608.01(i)-(p). 

(k) Abstract of the Disclosure : See MPEP § 608.01(f). A brief narrative of the 
disclosure as a whole in a single paragraph of 150 words or less 
commencing on a separate sheet following the claims. In an international 
application which has entered the national stage (37 CFR 1.491(b)), the 
applicant need not submit an abstract commencing on a separate sheet if 
an abstract was published with the international application under PCT 
Article 21. The abstract that appears on the cover page of the pamphlet 
published by the International Bureau (IB) of the World Intellectual 
Property Organization (WIPO) is the abstract that will be used by the 
USPTO. See MPEP § 1893.03(e). 

(l) Sequence Listing. See 37 CFR 1.821-1.825 and MPEP §§ 2421-2431. 
The requirement for a sequence listing applies to all sequences disclosed 
in a given application, whether the sequences are claimed or not. See 
MPEP §2421.02. 



Claim Objections 
Claims 2-6, 8-10, 14, 17-25 are objected to because of the following informalities: 
All of the dependent claims are objected to because they do not properly recite 
the invention entity of their respective claims. For example, claim 2 should start by 
reciting "the" authentication system according to claim 1. 

Claims 21-23 are objected to for not further limiting their parent claims. These 
claims are directed to a computer readable storage medium instead of further limiting the 
parent claims' statutory class. 



Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claims 1-25 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. Examiner has meticulously gone over each claim. 
However, due to the numerous errors, there could be some not explicitly listed here. 
Examiner suggests Applicant carefully review and correct each claim to expedite 
prosecution and to make the claims easier to understand. 



As per claim 1, the phrase "generating information for authentication from 
information" is indefinite. How does one distinguish between the former information and 
the latter? It basically reads generating information from information. This causes an 
antecedent basis problem when the information is referenced later in the claim. The user 
authentication information, the packet, and the service are all defined more than once. 

As per claim 2, the phrase "information relating to" carries a dual meaning in this instance 
because a public key inherently relates to a private key and vice versa. Therefore this 
key information could be interpreted as information about the public key or the private 
key. The phrase "means being means" is indefinite. Phrases such as "processing means 
for performing a processing" are redundant and confusing. The packet and session 
secret key are defined more than once. 

As per claims 3 and 6, the address lacks antecedent basis because its previous 
basis was amended. 

As per claim 7, the phrase "information relating to" carries a dual meaning in this instance 
because a public key inherently relates to a private key and vice versa. Therefore this 
key information could be interpreted as information about the public key or the private 
key. The phrase "generating information for authentication from information" is 
indefinite. How does one distinguish between the former information and the latter? It 
basically reads generating information from information. This causes an antecedent 
basis problem when the information is referenced later in the claim. The term "whose user" is 
undefined. 

As per claim 8, the phrase "generating information for authentication by 
processing the information" is indefinite. How does one distinguish between the former 
information and the latter? It basically reads generating information from information. 
There is a typo: "ket". 

As per claim 10, information is already defined in the parent claim. 

As per claim 12, the phrase "information relating to" carries a dual meaning in this instance 
because a public key inherently relates to a private key and vice versa. Therefore this 
key information could be interpreted as information about the public key or the private 
key. The phrase "information for authentication produced by processing information" is 
indefinite. How does one distinguish between the former information and the latter? It 
basically reads generating information from information. This causes an antecedent 
basis problem when the information is referenced later in the claim. A public key, a key 
information, and a packet are all defined more than once. In the second to last 
limitation, it is recited that processing is applied to the transmitted packet. How can 
processing be applied after the packet is already transmitted? 

As per claim 14, "a key information generating means" is defined for the second 
time. The phrase "a session dependent information" is indefinite. The context of the 
claim implies this may be a nonce or random number. There are appropriate terms well 
known in the art which would clear up this problem. "Means being means" is indefinite as 
well. 

As per claim 15, the allocated address lacks antecedent basis. A packet is 
defined and then so are packets. Then finally a packet is defined again. 

As per claim 17, a packet is again defined. 

As per claim 19, the phrase "a session dependent information" is indefinite. The 
context of the claim implies this may be a nonce or random number. There are 
appropriate terms well known in the art which would clear up this problem. "The key 
information" lacks antecedent basis. 

As per claim 20, the address lacks antecedent basis. Also it seems this function 
was already carried out by the address comparison means in the parent claim. 

As per claims 21-23, it is unclear what is trying to be claimed by incorporating a 
computer readable storage medium into a system claim. 

As per claims 24 and 25, the phrase "for digital signature" is poor grammar. The 
issue of now defining steps is confusing because these claims have no steps nor are 
process claims. Therefore they lack antecedent bases. 

Response to Arguments 

Applicant's arguments filed 1/29/09 have been fully considered but they are not 
persuasive. With respect to amended claim 1, Examiner finds Newcombe to teach the 
new limitations. Examiner has stated there are 35 USC 112 2nd paragraph problems 
with "authentication information generating means for generating information for 
authentication from information including the allocated address". Examiner maintains 
the combination of Newcombe and Arnold. Arnold teaches a server allocating 
addresses. Newcombe teaches using the IP addresses [including source address] and 
other identifying information to cryptographically generate a ticket (0025 and 0072). 
The other new limitation relating to a ticket verifying means is taught by Newcombe. In 
paragraph (0056) the ADS provides storing of the ticket. Also in (0125), Newcombe 
teaches an embodiment where the content server [application server] performs the 
verifying of the ticket information. It is inherent that the content server has means to 
communicate with the ADS to provide ticket verification. 

Much of Applicant's argument is centered on the allegation that Newcombe 
merely compares the local and remote IP address for authenticity. This may be one 
check for authenticity but not the most important one. In paragraph (0098) there is a 
provision which states that if a client is behind a NAT, the remote IP address presented 
by the client and the locally discovered IP address will be different. Therefore a mismatch 
does not definitively make the client unauthentic. So clearly Newcombe is not simply 
comparing the two as Applicant states. The real authentication comes from decrypting 
the server readable portion of the ticket to obtain the address stored inside and 
comparing it against the client's local source address (0091). 

With respect to the other independent claim sharing similar limitations, Examiner 
maintains those rejections as well. 

The amendments to the claims have removed the need to combine Newcombe 
and Arnold with Medvinsky. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

Claims 1-10, 12, 14, 15, and 17-25 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Newcombe (US 2003/0172269 A1) in view of Arnold et al. (WO 
03/055170 A1). 

As per claim 1, Newcombe teaches the limitation of "an authentication system in 
which an authentication server which authenticates a user, a user terminal which 
transmits a user authentication information, and an application server which provides a 
service to the user through the user terminal are connected together to enable a 
communication there between through a network" (Fig. 1; page 2, paragraph 0025) as 
the system includes a client that desires access to a content server, application server, 
or the like. The authentication manager includes an application authentication server 
and ticket granting server. 

Further, Newcombe teaches the limitation of "authentication means for 
authenticating a user based on the user authentication information transmitted as an 
authentication request from the user terminal" (page 3, paragraph 0044) as Application 
Authentication Server (AAS) is configured to authenticate a user. 

Furthermore, Newcombe teaches the limitations of "a ticket issuing means for 
issuing a ticket containing the address allocated by the address allocating means" and 
"a ticket transmitting means for transmitting the ticket issued by the ticket issuing means 
to the user terminal" (page 4, paragraph 0044) as Application Authentication Server 
(AAS) is configured to provide the authenticated user one or more content tickets that 
enable the authenticated user to access one or more content servers. The content ticket 
includes (page 4, paragraph 0048) the client's local and remote IP addresses. 

In addition, Newcombe teaches the limitation of "a user authentication 
information transmitting means for transmitting user authentication information to the 
authentication server for purpose of an authentication request" (page 4, paragraph 
0052) as clients are enabled to request access to servers, such as content servers by 
requesting content tickets from AAS. Clients are enabled to provide information 
associated with local and remote IP addresses to AAS as part of the request for content 
tickets. 

Additionally, Newcombe teaches authentication information generating means for 
generating information for authentication from information including the allocated 
address (0025). 

Additionally, Newcombe teaches the limitation of "a ticket reception means for 
receiving a ticket transmitted from the authentication server" (page 5, paragraph 0064) 
as Authentication Server (AS) determines the user is a valid user and provides client 
with a Ticket Granting Ticket. Where AS is a part of AAS (page 4, paragraph 0054). 

Also, Newcombe teaches the limitations of "means for transmitting a packet 
including the ticket to the application server for establishing a session" and "a service 
request means for transmitting a packet requesting a service to the application server" 
(page 9, paragraph 0113) as client is to be authenticated by the content server. Where 
(page 10, paragraph 0114) the authenticator and ticket are sent to the server. 

Moreover, Newcombe teaches the limitation of "a ticket memory means for 
storing the ticket transmitted from the user terminal" (Fig. 4; page 4, paragraph 0056) as 
ADS is configured to provide storage for information associated with a client, user, 
ticket, and the like. 

Newcombe teaches ticket verifying means for verifying the presence or absence 
of any forgery in the information for authentication in the ticket transmitted from the user 
terminal and storing the ticket in the ticket memory means in the absence of a forgery 
(0091 and 0125). 

Furthermore, Newcombe teaches the limitation of "an address comparison 
means for determining whether or not the address contained in the ticket which is stored 
in the ticket memory means coincides with the source address of the service request 
packet which is transmitted from the user terminal through the session" (page 4, 
paragraph 0048) as Content server is also configured to read its portion of the content 
ticket to verify whether the sending client should be enabled access to the requested 
content. Where Newcombe teaches the process of validation (page 10, paragraph 
0117) as a ticket, including an encrypted modified authenticator, is received. The client's 
local and remote IP addresses are obtained, and the encrypted modified authenticator 
is decrypted. Further, (page 10, paragraph 0119) a determination is made whether 
remote IP address associated information provided by the client matches an IP address 
obtained by a variety of approaches, including a system call, examination of TCP/IP 
packets associated with the client, and the like. 

Finally, Newcombe teaches the limitation of "a service providing means for 
transmitting to the user a packet which provides a service to the user when a 
coincidence between the addresses is determined by the address comparison means" 
(page 4, paragraph 0045) as Content server may include virtually any electronic device 
capable of storing content and sending the content to a requesting device. 

It is noted, however, that Newcombe does not teach the limitations of "an 
address allocating means for allocating an address to the user terminal for a successful 
authentication of the user", "means for setting up an address contained in the ticket as a 
source address for a packet which is to be transmitted from the user terminal." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 
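The rejection of claim 1 above turns on a ticket mechanism: the authentication server issues a ticket containing the allocated address together with information for authentication, the application server verifies that ticket for forgery before storing it in its ticket memory, and each service request is honored only when the stored ticket's address coincides with the source address of the request packet (the same mechanism the Response to Arguments describes for Newcombe, paragraph 0091). The following Python is an added illustration of that flow, not code from the office action, the application under examination, or either cited reference; it uses an HMAC under a secret shared beforehand by the two servers as the "information for authentication" (the variant recited in claims 5 and 8), and the secret, addresses, user names, and session identifiers are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret; in the claimed system it is shared beforehand
# between the authentication server and the application server (assumption).
SHARED_SECRET = b"constructed-demo-shared-secret"


def _encode(body: dict) -> bytes:
    """Canonical encoding so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(allocated_address: str, user_id: str, secret: bytes = SHARED_SECRET) -> dict:
    """Authentication server side: the ticket carries the allocated address and a
    user identifier, plus an HMAC over them (the information for authentication)."""
    body = {"address": allocated_address, "user_id": user_id, "nonce": secrets.token_hex(8)}
    tag = hmac.new(secret, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_ticket(ticket: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Ticket verifying means: recompute the MAC and compare in constant time,
    so any change to the address or user identifier is detected as a forgery."""
    expected = hmac.new(secret, _encode(ticket["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["tag"])


class ApplicationServer:
    """Holds the ticket memory and applies the address comparison on each request."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.ticket_memory: dict[str, dict] = {}  # session id -> stored ticket

    def establish_session(self, session_id: str, ticket: dict, source_address: str) -> str:
        # Forged tickets are never stored (ticket verifying means).
        if not verify_ticket(ticket, self.secret):
            return "rejected: forged ticket"
        # Address collating means: the address inside the ticket must match the
        # source address of the packet that carried it, or the ticket is not stored.
        if ticket["body"]["address"] != source_address:
            return "rejected: ticket address does not match packet source"
        self.ticket_memory[session_id] = ticket
        return "session established"

    def handle_service_request(self, session_id: str, source_address: str) -> str:
        # Address comparison means: service is provided only when the stored
        # ticket's address coincides with the source address of the request packet.
        ticket = self.ticket_memory.get(session_id)
        if ticket is None:
            return "rejected: no established session"
        if ticket["body"]["address"] != source_address:
            return "rejected: source address mismatch"
        return f"service provided to {ticket['body']['user_id']}"


def demo() -> list[str]:
    """Constructed walk-through: a legitimate session, then two failure modes."""
    app = ApplicationServer()
    ticket = issue_ticket("10.0.0.5", "alice")           # allocated address 10.0.0.5
    results = [
        app.establish_session("s1", ticket, "10.0.0.5"),
        app.handle_service_request("s1", "10.0.0.5"),    # genuine request
        app.handle_service_request("s1", "10.0.0.9"),    # request from a different source
    ]
    forged = {"body": dict(ticket["body"], address="10.0.0.9"), "tag": ticket["tag"]}
    results.append(app.establish_session("s2", forged, "10.0.0.9"))  # altered address, stale MAC
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The canonical JSON encoding matters: the issuer and the verifier must MAC byte-identical input, otherwise a legitimate ticket would fail verification. Note that the strict equality used here is the comparison the claim recites; Newcombe's paragraph (0098), as characterized above, treats a remote-address mismatch behind a NAT as not definitively disqualifying, which a real deployment would have to account for separately.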

With respect to claim 2, Newcombe teaches the user terminal has a key 
information relating to a public key of the user terminal (0029). 
Newcombe teaches the limitation of "the ticket issuing means being means for 
issuing a ticket also containing the key information which is transmitted from the user 
terminal" (page 6, paragraph 0068) as Ticket Granting Server (TGS) is configured to 
receive the server readable portion of TGT and modified authenticator from the user, 
and to provide a valid user with a content ticket that enables access to an identified 
content server. 

Further, Newcombe teaches the limitation of "the user authentication information 
transmitting means being means for transmitting the key information also together with 
the user authentication information" (page 4, paragraph 0052) as clients are enabled to 
provide information associated with local and remote IP addresses to AAS as part of the 
request for content tickets. Furthermore, (page 6, paragraph 0068) Ticket Granting 
Server (TGS) is configured to receive the server readable portion of TGT and modified 
authenticator from the user, where (page 6, paragraph 0072) the server readable 
portion may include information associated with the client's local and remote IP 
addresses, the user's account, lifetime parameter, a portion of application content, such 
as application title, version information or the like, and a session key. 

Furthermore, Newcombe teaches the limitations of "a session key generating 
means for calculating a session secret key which is shared with the application server 
from a private key of the user terminal and a public key of the application server" and "a 
session key generating means for calculating a session secret key which is shared with 
the user terminal from the private key of the application server and a public key of the 
user terminal" (paragraph 0029) as, in one embodiment of the invention, for asymmetric 
encryption, 1024-bit keys may be used with RSA. These keys may be formatted 
according to the "OAEP (with SHA1)" scheme provided by RSA, or any other formatting 
appropriate. For example, RSA may be used in conjunction with a ticket (which is 
described in more detail below) to decrypt data in the ticket to recover an AES key that 
may then be used to decrypt other portions of a ticket. SHA1 stands for Secure Hash 
Algorithm 1. SHA1 is a cryptographic hash algorithm that produces a 160-bit hash value 
from an arbitrary length string. In other embodiments of the invention, other private 
key/public key encryption algorithms may be used (such as the ones listed above) with 
the same or different key sizes. 

In addition, Newcombe teaches the limitation of "a packet cryptographic 
processing means for performing a processing upon a packet transmitted from the user 
terminal to guarantee that there is no forgery in the packet by the session secret key" 
(page 5, paragraph 0065) as client proves that it can decrypt the client readable portion 
by extracting the session key from client readable portion and using it to encrypt 
subsequent authenticators. 

Also, Newcombe teaches the limitations of "a packet verifying means for 
confirming whether or not the packet received from the user terminal is forged using the 
session secret key" and "a ticket verifying means for verifying whether or not the key 
information contained in the ticket of the packet which has been verified as not being 
forged is information relating to the private key of the user terminal" (page 5, paragraph 
0065) as the server decrypts the server readable portion and extracts its copy of the 
session key, and uses that to decrypt the authenticator. If the authenticator is decrypted 
successfully then this proves beyond reasonable doubt that the client had the correct 
session key. 

Finally, Newcombe teaches the limitation of "the ticket verifying means 
preventing the ticket from being stored in the ticket memory means when the key 
information is not relating information" (Fig. 5; page 7, paragraph 0086 and 0087) as a 
client interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the 
client is unsuccessful, the processing ends. 

With respect to claim 3, Newcombe teaches the limitation of "a transmission of 
the ticket from the user terminal takes place in terms of a packet" (Abstract) as a packet 
that includes the authenticator is sent to a server. 

In addition, Newcombe teaches the limitation of "an address collating means for 
collating the address in the ticket transmitted from the user terminal against the source 
address of the packet which includes the ticket and for preventing the ticket from being 
stored if a coincidence is not found" (Fig. 5; page 7, paragraph 0086 and 0087) as a 
client interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the 
client is unsuccessful, the processing ends. Where (page 10, paragraph 0119) a 
determination is made whether remote IP address associated information provided 
by the client matches an IP address obtained by a variety of approaches, including a 
system call, examination of TCP/IP packets associated with the client, and the like. 

With respect to claim 4, Newcombe teaches the limitation of "the authentication 
server comprises a user identifier allocating means for allocating a user identifier which 
corresponds to the authenticated user in response to the authentication request for a 
successful authentication of the user" (page 4, paragraph 0057) as Authentication 
Server (AS) is enabled to authenticate a user. 

In addition, Newcombe teaches the limitation of "the ticket issuing means being 
means for issuing the ticket inclusive of the user identifier" (page 5, paragraph 0064) if 
AS determines that the user is a valid user, AS provides the client with a ticket granting 
ticket, that typically includes a server readable portion, client readable portion, and an 
authenticator. 

With respect to claim 5, Newcombe teaches the limitation of "authentication 
information generating means is configured to process the information including the 
allocated address" (0025) "with a shared secret key which is shared beforehand between 
the authentication server and the application server" (page 6, paragraph 0068) as TGS 
is configured to receive the server readable portion of the TGT and modified 
authenticator from the user, and to provide a valid user with a content ticket that 
enables access to an identified content server. Furthermore, (page 6, paragraph 0071) 
the content ticket may include a server readable portion that is signed by a public 
encryption key associated with TGS. 

In addition, Newcombe teaches the limitation of "the ticket verifying means of the 
application server configured to further verify information for authentication contained in 
the ticket using a shared secret key which is beforehand shared between the 
authentication server and the application server" (Fig. 13; page 10, paragraphs 0126 - 
0127) as a determination is made whether the client is authentic. If it is determined that 
the client is authentic, a determination is made whether information within the content 
ticket is valid. If the client is found not to be authentic or the information is not valid, an 
error message is sent to the client. Furthermore, (page 10, paragraph 0114) the 
authentication used for client authentication is encrypted using the session key obtained 
from the authentication server. 

With respect to claim 6, Newcombe teaches the limitation of "the application 
server comprises an address collating means for collating the address in the ticket 
which is transmitted from the user terminal against the source address of the packet 
which includes the ticket and for preventing the ticket from being stored when a 
coincidence is not found" (Fig. 5; page 7, paragraph 0086 and 0087) as a client 
interacts with a Ticket Granting Server (TGS) to obtain a content ticket. If the client is 
unsuccessful, the processing ends. Where (page 10, paragraph 0119) a determination 
is made whether remote IP address associated information provided by the client 
matches an IP address obtained by a variety of approaches, including a system call, 
examination of TCP/IP packets associated with the client, and the like. 

With respect to independent claim 7, Newcombe teaches the limitation of "An 
authentication server in an authentication system in which an authentication of a user 
utilizing a user terminal is performed through the user terminal by an authentication 
server and a request is made to an application server to provide a service on the basis 
of the authentication" (Fig. 1; page 2, paragraph 0025) as the system includes a client 
that desires access to a content server, application server, or the like. The 
authentication manager includes an application authentication server and ticket granting 
server. 

Further, Newcombe teaches the limitation of "a user authentication information 
reception means for receiving an authentication request inclusive of a user 
authentication information and key information relating to a public key of the user 
terminal both transmitted from the user terminal" (page 3, paragraph 0044) as 
Application Authentication Server (AAS) is configured to authenticate a user. Where, 
(page 4, paragraph 0052) clients are enabled to request access to servers, such as 
content servers by requesting content tickets from AAS. Clients are enabled to provide 
information associated with local and remote IP addresses to AAS as part of the request 
for content tickets. 

Furthermore, Newcombe teaches the limitation of "an authentication means to 
which the user authentication information of the received authentication request is input 
and which authenticates the user on the basis of the user authentication information and 
providing a signal indicating a successful authentication upon a successful 
authentication" (page 5, paragraph 0064) as Authentication Server (AS) determines the 
user is a valid user and provides client with a Ticket Granting Ticket. Where AS is a part 
of AAS (page 4, paragraph 0054) and (page 10, paragraph 0115) a signal is provided 
that indicates whether the client is authentic or not. 

Additionally, Newcombe teaches authentication information generating means for 
generating information for authentication from information including the allocated 
address (0025). 
In addition, Newcombe teaches the limitations of "a ticket issuing means for 
issuing a ticket containing the allocated address, the key information, and the 
information for authentication" (0025) and "and a ticket transmitting means to which the 
ticket is input and which transmits the ticket to the user terminal" (page 4, paragraph 
0044) as Application Authentication Server (AAS) is configured to provide the 
authenticated user one or more content tickets that enable the authenticated user to 
access one or more content servers. The content ticket includes (page 4, paragraph 
0048) the client's local and remote IP addresses. 

It is noted, however, that Newcombe does not teach the limitation of "an address 
allocating means for allocating an address to the user terminal in response to an input 
of the signal indicating a successful authentication of the user." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 

With respect to claim 8, Newcombe teaches the limitation of "an authentication 
information generating means for generating an authentication information for 
information which includes at least the allocated address using a shared secret key 
which is beforehand shared between the authentication server and the application 
server" (page 4, paragraph 0044) as Application Authentication Server (AAS) is 
configured to provide the authenticated user one or more content tickets that enable the 
authenticated user to access one or more content servers. The content ticket includes 
(page 4, paragraph 0048) the client's local and remote IP addresses. Furthermore, 
(page 5, paragraph 0065) the client readable portion [of the ticket] is signed with the 
private key of the authentication server. 

With respect to claim 9, Newcombe teaches the limitation of "the authentication 
server comprises a user identifier allocating means for allocating a user identifier which 
corresponds to the authenticated user in response to the authentication request for a 
successful authentication of the user" (page 4, paragraph 0057) as Authentication 
Server (AS) is enabled to authenticate a user. 

In addition, Newcombe teaches the limitations of "authentication information 
generating means is configured to process the information including the allocated 
address, the key information, and the user identifier to produce information for 
authentication and the ticket issuing means is configured to combine at least the 
information for authentication, the allocated address, the key information and the user 
identifier to form the ticket" (0025) and "and a ticket transmitting means to which the 
ticket is input and which transmits the ticket to the user terminal" (page 4, paragraph 
0044) as Application Authentication Server (AAS) is configured to provide the 
authenticated user one or more content tickets that enable the authenticated user to 
access one or more content servers. The content ticket includes (page 4, paragraph 
0048) the client's local and remote IP addresses. 

As per claim 10, Newcombe teaches the user identifier allocating means is 
configured to encrypt information which directly identifies the user by using an identifier 
generating secret key of the authentication server to produce the user identifier (0065). 

As per claim 12, Newcombe teaches a user terminal in an authentication system 
in which an authentication of a user utilizing a user terminal is performed by an 
authentication server and a request to provide a service is made to an application 
server on the basis of the authentication (0052), comprising: 

a ticket reception means for receiving a ticket transmitted from the authentication 
server (0064), key information relating to a public key of the user terminal (0029) and 
information for authentication produced by processing information including the 
allocated address and the key information (0065); 

a session establishing means to which the ticket is input and which transmits a 
packet including the ticket to the application server for establishing a session with the 
application server (0047); 

a service request means for transmitting a packet representing a service request 
to the application server through the established session (0046); 

a key information generating means to which a public key of the user terminal is 
input and which generates a key information relating to the public key of the user 
terminal (0025 and 0029); 
a session key generating means to which a private key of the user terminal and 
a public key of an application server are input and which calculates a session secret 
key which is shared with the application server (0029); 

and a packet cryptographic processing means to which a packet to be 
transmitted from the user terminal and the session secret key are input and which 
applies a processing to the transmitted packet which guarantees that there is no forgery 
in the packet by the session secret key (0065); 

a user authentication information transmitting means configured to transmit the 
key information together with the user authentication information to the authentication 
server (0052 and 0072). 

It is noted, however, that Newcombe does not teach the limitations of "an 
address allocating means for allocating an address to the user terminal for a successful 
authentication of the user", "means for setting up an address contained in the ticket as a 
source address for a packet which is to be transmitted from the user terminal." 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate teachings of Arnold into the system of Newcombe to allow the 
AAS to keep full control of the IP address assignment process in view of the limited pool 
of available IP addresses. 
As per claim 14, Newcombe teaches a key information generating means to 
which an authentication purpose shared secret key (0029) which is shared with the 
application server and a session dependent information which changes each time 
(0025) a session is established are input and which generates a key information by 
processing the session dependent information by the authentication purpose shared 
secret key (0031); 

the user authentication information transmitting means being means to which the 
key information is also input and which transmits the key information together with the 
user authentication information (0052 and 0072). 

As per claim 15, Newcombe teaches an application server in an authentication 
system in which an authentication of a user utilizing a user terminal is performed by an 
authentication server and a request to provide a service is made to an application 
server on the basis of the authentication (0045); comprising 

a session establishing means for establishing a session with a user terminal 
(0047); 

a ticket memory means in which a ticket transmitted from the user terminal is 
stored (0056); 

an address comparison means to which a source address of a service request 
packet which is transmitted from the user terminal and received through the established 
session is input and which determines whether or not the source address coincides with 
the address of the user terminal contained in the ticket stored in the ticket memory 
means (0048); 
and a service providing means which transmits packets for providing a service to 
the user to the user terminal when the output of the address comparison means 
indicates a coincidence (0045); 

wherein said session establishing means comprises ticket verifying means for 
verifying authenticity of the ticket, which is received through a packet from the user 
terminal for establishing the session, by checking the information for authentication 
contained in the ticket and preventing the ticket from being stored in the ticket memory 
means when verification is not successful (0049). 

It is noted, however, that Newcombe does not teach the limitation of "an 
allocated address". 

On the other hand, Arnold teaches the abovementioned limitation (page 5, lines 
25-29) as an IP address is assigned to the user/subscriber during the single sign-on 
authentication procedure performed in the network of the respectively underlying 
network service provider of the user or the like. 

With respect to claim 17, Newcombe teaches the limitation of "a session key 
generating means for calculating a session secret key which is shared with the user 
terminal from a private key of the application server and a public key of the user 
terminal" (paragraph 0029) as in one embodiment of the invention, for asymmetric 
encryption, 1024-bit keys may be used with RSA. These keys may be formatted 
according to the "OAEP (with SHA1)" scheme provided by RSA, or any other formatting 
appropriate. For example, RSA may be used in conjunction with a ticket (which is 
described in more detail below) to decrypt data in the ticket to recover an AES key that 
may then be used to decrypt other portions of a ticket. SHA1 stands for Secure Hash 
Algorithm 1. SHA1 is a cryptographic hash algorithm that produces a 160-bit hash value 
from an arbitrary length string. In other embodiments of the invention, other private 
key/public key encryption algorithms may be used (such as the ones listed above) with 
the same or different key sizes. 

In addition, Newcombe teaches the limitation of "a packet verifying means for 
verifying whether or not a packet received from the user terminal is forged using the 
session secret key and for preventing the ticket from being stored in response to a 
verification output indicating the presence of a forgery" (page 5, paragraph 0065) as the 
server decrypts the server readable portion and extracts its copy of the session key, and 
uses that to decrypt the authenticator. If the authenticator is decrypted successfully then 
this proves beyond reasonable doubt that the client had the correct session key. 

As per claim 18, Newcombe teaches the ticket verifying means comprises 
collating means for verifying, when a received packet has been verified by the packet 
verifying means as not forged, whether or not the key information 
contained in the ticket corresponds to the public key of the user terminal which has 
been used in the calculation of the session secret key (0029). It is inherent that you 
must use the appropriate keys given one knows how the encryption process was done 
to verify the lack of forgery. 

With respect to claim 19, Newcombe teaches the limitation of "the ticket verifying 
means is means which an authentication purpose shared secret key which is shared 
with the user terminal and a session dependent information which changes each time a 
session is established are input and which processes the session dependent 
information using the authentication purpose shared secret key, collates a result of the 
processing against the key information in the ticket and verifies the authenticity of the 
ticket by seeing whether or not a matching between the result of processing and the key 
information applies" (page 4, paragraph 0048) as Content server is also configured to 
read its portion of the content ticket to verify whether the sending client should be 
enabled access to the requested content. Where the client is authenticated using the 
modified authenticator, and (page 2, paragraph 0025) the modified authenticator 
includes a timestamp that is combined with a cryptographically strong digest of a 
concatenation of the local and remote IP addresses associated with the client. The 
modified authenticator is directed at binding the timestamp to a single client to minimize 
theft and reuse of an authenticator. 

With respect to claim 20, Newcombe teaches the limitation of "the ticket verifying 
means comprises means for verifying whether or not the source address of the received 
packet coincides with the address contained in the ticket within the packet and for 
preventing the ticket from being stored in response to a detection output which indicates 
a non-coincidence" (page 4, paragraph 0048) as Content server is also configured to 
read its portion of the content ticket to verify whether the sending client should be 
enabled access to the requested content. Where Newcombe teaches the process of 
validation (page 10, paragraph 0117) as a ticket, including an encrypted modified 
authenticator, is received. The client's local and remote IP addresses are obtained, and 
the encrypted modified authenticator is decrypted. Further, (page 10, paragraph 0119) a 
determination is made whether a remote IP address associated information provided 
by the client matches an IP address obtained by a variety of approaches, including a 
system call, examination of TCP/IP packets associated with the client, and the like. 
Furthermore, (Figs. 5 and 13; page 10, paragraph 0127) if the client is found not to be 
authentic or the information is not valid, an error message is sent to the client and the 
process returns to block 510 of Fig. 5, and consequently ends. 

With respect to claim 21, it is rejected in view of the reasons stated in the 
rejection of independent claim 7. 

With respect to claim 22, it is rejected in view of the same reasons as stated in 
the rejection of independent claim 12. 

With respect to claim 23, it is rejected in view of the same reasons as stated in 
the rejection of independent claim 15. 

As per claim 24, Newcombe teaches the authentication server has a secret key 
and public key for digital signature (0029), the step of generating the information for 
authentication at the authentication server is a step for computing a digital signature on 
the information including the allocated address using the secret key for the digital 
signature (0029), 

the ticket verifying step at the application server is a step for verifying the 
presence or absence of any forgery in the information for authentication in the ticket 
using the public key of the authentication server (0065). 
As per claim 25, Newcombe teaches the authentication server has a secret key 
and a public key for digital signature (0029), and said ticket issuing means comprises: 
an authentication information generating means for computing a digital signature on the 
information including at least the allocated address using the secret key for the digital 
signature to produce the information for authentication so that the application server can 
verify the presence or absence of any forgery in the information for authentication in the 
ticket using the public key of the authentication server (0065-0066). 
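As an added illustration of the ticket flow these rejections describe, the following example code is not part of the application or of the Newcombe or Arnold references. It models the claim 8 variant (a secret shared beforehand between the authentication server and the application server, so an HMAC stands in for the digital signature of claims 24 and 25), uses constructed keys, addresses and session nonces, and shows the application server of claims 15, 19 and 20 refusing to store a ticket whose information for authentication, key information or source address does not check out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo secrets (hypothetical, not values from the application or the references).
AS_APP_SHARED_KEY = b"as-app-shared-secret-demo"       # claim 8: shared by AS and application server
AUTH_PURPOSE_KEY = b"auth-purpose-shared-secret-demo"  # claims 14/19: shared by terminal and application server


@dataclass(frozen=True)
class Ticket:
    address: str    # allocated address (the element taken from Arnold)
    key_info: str   # claim 14: MAC of the session-dependent information
    user_id: str    # claim 9: user identifier
    auth_info: str  # claim 8: information for authentication over the three fields above


def generate_key_info(auth_purpose_key: bytes, session_nonce: bytes) -> str:
    """Claim 14: process the session-dependent information with the shared key."""
    return hmac.new(auth_purpose_key, session_nonce, hashlib.sha256).hexdigest()


def _ticket_body(address: str, key_info: str, user_id: str) -> bytes:
    # Length-prefix each field so distinct (address, key_info, user_id) triples never collide.
    fields = (address.encode(), key_info.encode(), user_id.encode())
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_ticket(shared_key: bytes, address: str, key_info: str, user_id: str) -> Ticket:
    """Claims 8 and 9: bind address, key information and user identifier under the shared key."""
    mac = hmac.new(shared_key, _ticket_body(address, key_info, user_id), hashlib.sha256)
    return Ticket(address, key_info, user_id, mac.hexdigest())


class ApplicationServer:
    """Claims 15, 19 and 20: verify a presented ticket and store it only on success."""

    def __init__(self, shared_key: bytes, auth_purpose_key: bytes) -> None:
        self.shared_key = shared_key
        self.auth_purpose_key = auth_purpose_key
        self.ticket_memory = {}  # claim 15 ticket memory means, keyed by allocated address

    def establish_session(self, ticket: Ticket, source_address: str, session_nonce: bytes) -> bool:
        body = _ticket_body(ticket.address, ticket.key_info, ticket.user_id)
        expected = hmac.new(self.shared_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket.auth_info):
            return False  # claim 15: information for authentication does not check out
        recomputed = generate_key_info(self.auth_purpose_key, session_nonce)
        if not hmac.compare_digest(recomputed, ticket.key_info):
            return False  # claim 19: key information does not collate with this session
        if source_address != ticket.address:
            return False  # claim 20: packet source address and ticket address do not coincide
        self.ticket_memory[ticket.address] = ticket
        return True

    def service_request(self, source_address: str) -> Optional[Ticket]:
        """Claim 15 address comparison: a service is provided only for a stored matching address."""
        return self.ticket_memory.get(source_address)
```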


Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is 
(571)270-7316. The examiner can normally be reached on Monday - Thursday, 7:30am 
- 5:00pm, EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Supervisory Patent Examiner, Art Unit 2431 